24/7 companion support
DeBrah understands your emotional patterns, remembers your journey, and provides support whenever you need it — day or night.
Meet DeBrah, the AI companion who remembers your story and reaches out first. Built on MiAngel Middleware AI — patent-pending trust layer.
DeBrah remembers what matters. She notices when things shift. Every interaction is sealed by MiAngel Middleware AI — patent-pending cryptographic trust that proves your privacy in real time.
DeBrah understands your emotional patterns, remembers your journey, and provides support whenever you need it — day or night.
Emotional intelligence that tracks patterns, predicts mood shifts, and provides personalized insights to help you understand your mental wellness.
Express your thoughts in a secure, encrypted journal. AI-powered prompts help you process emotions while your entries stay cryptographically protected.
Every DeBrah interaction runs on MiAngel Middleware AI™ (GMAI). This patent-protected control plane handles biometric attestation, salience-weighted memory, crisis escalation, and tamper-evident audits — so the app feels effortless while the infrastructure proves every promise in real time.
U.S. Patent Application #19/385,439
Built on HIPAA BAAs with OpenAI, Google Cloud, Anthropic
Cryptographic middleware, not a model
MiAngel builds the Trust Layer for AI. DeBrah is our consumer proof that trust can be cryptographic — not a claim, not a policy, but infrastructure that verifies your privacy every time you speak.
Meet DeBrah →Last Updated: July 6, 2026
Our Service may contain links to third-party sites. We are not responsible for their content or privacy practices. Please review their policies before using their services.
DeBrah, MiAngel's AI companion, is NOT available to children under 13 under any circumstances. Consistent with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from anyone under 13, and if we discover such an account we will delete it and all associated data immediately. Users aged 13 to 17 may use DeBrah only with the verifiable consent of a parent or legal caregiver. Before any account for a user under 18 is activated, we require completion of our verifiable parental or caregiver consent process, and we may request proof of age and of the consenting adult's authority at any time. Parents and caregivers may review their minor's information, and may revoke consent at any time by contacting legal@miangel.ai, which results in immediate account deletion. By providing consent, the parent or caregiver, and the minor, acknowledge that health, biometric, and emotional wellness data will be collected and processed as described in this Policy. We design the minor experience to be age-appropriate, and we do not use a minor's data for marketing or advertising.
Your data may be stored and processed in the United States and other jurisdictions where our service providers operate. By using DeBrah, you consent to these transfers. We implement appropriate safeguards including Standard Contractual Clauses (SCCs) and comply with GDPR (European Union), CCPA/CPRA (California), and other applicable data protection laws. Health Data Compliance: MiAngel applies HIPAA-grade administrative, physical, and technical safeguards uniformly across both DeBrah Personal and DeBrah Clinical, as a deliberate, self-imposed design standard and a core part of our Trust Layer, regardless of whether a particular deployment is legally subject to HIPAA. HIPAA compliance is a standard of adherence we hold ourselves to, not a government certification. For consumer use of DeBrah Personal, MiAngel is generally not acting as a HIPAA covered entity. Where MiAngel processes protected health information (PHI) on behalf of healthcare providers or other covered entities, including DeBrah Clinical deployments, MiAngel operates as a HIPAA Business Associate under executed Business Associate Agreements (BAAs), and enters BAAs with the model and infrastructure providers that process such data on our behalf. DeBrah is not a medical device and does not provide medical diagnoses or treatment; its insights are for informational and wellness purposes only.
If you have questions about this Privacy Policy, reach us at legal@miangel.ai
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Non-material changes (formatting, clarifications) may take effect immediately upon posting. Material changes, including modifications to data collection practices, retention periods, third-party sharing, or your rights, require at least thirty (30) days advance notice via email or in-app notification before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy. The "Last Updated" date at the top of this page indicates the most recent revision. We maintain a changelog of material modifications, available upon request at legal@miangel.ai.
In this Policy, "MiAngel," "we," and "us" refer to MiAngel, Inc. "DeBrah" is MiAngel's AI companion product (offered as DeBrah Personal for consumers and DeBrah Clinical for healthcare deployments), and "GMAI" (MiAngel Middleware AI) is the patent-pending trust layer that governs every DeBrah interaction. This Policy applies to your use of DeBrah and the MiAngel platform.
Personal: Personal Information: Name, email, demographic data, and other details you provide during registration or profile setup.
Chat: Chat Data: Content of your conversations with DeBrah, MiAngel's AI companion, including emotional states, mental health check-ins, and AI-generated insights.
Usage: Usage Data: Device information, IP address, browser type, log data, interaction patterns, and feature usage analytics.
Health: Health & Biometric Data: With your explicit consent, we collect health and biometric data from the wearable integrations you connect, currently Fitbit (now part of Google) and Withings, such as heart rate, heart rate variability (HRV), sleep duration and quality, activity levels, steps, calories burned, and other measurements provided by those devices. We collect only from integrations you actively connect, and you can disconnect them at any time.
Mood: Emotional Wellness Data: Mood logs, journal entries, emotional patterns, wellness goals, progress milestones, and self-reported mental health indicators.
Predictive: Derived Insights: AI-generated pattern recognition and wellness recommendations based on your aggregated data (mood, biometrics, and behavior). These insights are for wellness and informational purposes only and are not a medical diagnosis, prediction, or treatment.
Emergency: Emergency Contact Information: If you opt-in to the MiAngel Safety Net feature, we collect the name, phone number, email, and relationship of your designated emergency contact(s). This information is used exclusively for proactive crisis intervention notifications and is encrypted at rest.
Service Delivery: To provide core features including AI chat, mood tracking, journaling, and personalized wellness insights.
Health Analytics: To recognize patterns across your emotional state, biometric data, and behavior and provide wellness insights such as stress-pattern recognition and mood trends. These insights are for wellness purposes only and are not medical predictions, diagnoses, or treatment.
Personalization: To tailor AI responses, wellness recommendations, and intervention timing based on your unique health profile and emotional patterns.
Research & Development: To train and improve AI models using anonymized, aggregated, and de-identified data. Individual identities are never included in training datasets. Our de-identification process includes: removal of direct identifiers (name, email, phone number, IP address), replacement of quasi-identifiers with generalized categories, k-anonymity verification to ensure no individual can be re-identified from the remaining data, and separate storage of any linkage keys with strict access controls. De-identified datasets are reviewed by our data governance team before use in model training.
Risk Management: To detect potential mental health crises and provide appropriate escalation to human support or emergency services when needed.
MiAngel Safety Net Emergency Contact Notification: If you opt in, we use your emergency contact information to notify your designated contact(s) when DeBrah detects signs of acute distress in your conversations, such as self-harm language. Notification timing may range from minutes to hours, requires your explicit and revocable consent, and is a safety pathway that cannot guarantee intervention or emergency response.
Platform Integration: To sync data with the wearable devices you connect (currently Fitbit, now part of Google, and Withings) via their authorized APIs to maintain accurate health profiles.
Clinical Support: With your explicit consent, to share longitudinal wellness data with your healthcare providers through our HIPAA-aligned clinical dashboard.
Product Improvement: To analyze feature usage, identify bugs, and enhance user experience across the platform.
You own your personal data. MiAngel is the custodian of your data and may process it as described in this policy. We retain your data for as long as your account is active or as needed to provide services.
Data Retention Schedule by Category: Personal Information (name, email, demographics), retained for the duration of your account plus 30 days after deletion. Chat & Conversation Data, retained for the duration of your account. Health & Biometric Data (wearable integrations), retained for up to 5 years from the date of collection to enable longitudinal trend analysis, unless you request earlier deletion. Emotional Wellness Data (mood logs, journal entries), retained for the duration of your account. Derived Insights & Predictive Analytics, retained for up to 5 years from the date of generation in identifiable form; de-identified data (subject to k-anonymity verification with k≥5) may be retained indefinitely for research and AI model training. Emergency Contact Information, retained for the duration of your Safety Net opt-in; deleted within 30 days of opting out. Usage & Analytics Data, retained for up to 2 years. SMS Message Records, retained for up to 1 year for compliance and delivery verification.
Upon account deletion, all personally identifiable information is permanently removed within 30 days. Anonymized, de-identified data that has already been incorporated into aggregate training datasets cannot be extracted and may persist indefinitely. You can request a complete data export or deletion at any time through your account settings or by contacting legal@miangel.ai.
When you connect Google Health, MiAngel accesses, with your explicit consent, read-only Google Health data across three categories — activity and fitness, health metrics and measurements, and sleep.
MiAngel's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically: we use this data only to provide and improve the user-facing wellness features you request; we do not transfer it to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with your consent; we never use it for advertising; and no human reads this data unless (a) you give specific consent, (b) it is necessary for security purposes such as investigating abuse, (c) doing so is required to comply with applicable law, or (d) the data has been aggregated and de-identified.
Your data is protected by MiAngel Middleware AI (GMAI), our patent-pending cryptographic trust layer that governs every DeBrah interaction. Every interaction is: (1) Cryptographically Authenticated: biometric or device attestation verifies your identity before sensitive data is accessed. (2) Policy-Bound: AI interactions are governed by machine-enforced policies that cannot be overridden. (3) Audit-Trail Protected: every data access is recorded in a tamper-evident, hash-linked audit chain. (4) Deny-by-Default: private memory and health data remain encrypted and inaccessible without verified authentication. (5) Privacy-Boundary Pseudonymization: before your conversation data is sent to any third-party AI model, a single pseudonymization pass replaces personal names and structured identifiers (such as SSN, MRN, NPI, and DEA numbers) with consistent pseudonyms, and real values are restored only after the response returns and is verified, so the model provider receives minimized, pseudonymized context. We also employ AES-256 encryption at rest, TLS 1.3 in transit, regular security audits and penetration testing, role-based access controls, automated threat monitoring, and secure API integrations. No system is perfectly secure, but GMAI provides verifiable, enterprise-grade protection designed for regulated healthcare environments.
Access: Access & Export: You can request a complete copy of all your data (personal, health, chat logs, mood history) in machine-readable format at any time through your account settings or by contacting legal@miangel.ai.
Delete: Deletion (Right to Erasure): Under GDPR Article 17 and applicable state laws, you can request full account deletion. Grounds for erasure include: withdrawal of consent, data no longer necessary for its original purpose, objection to processing, or unlawful processing. Upon request, we will permanently remove all personally identifiable information within 30 days. Note: Anonymized data used in AI training cannot be extracted once de-identified, as it is no longer personal data under applicable law.
Wearables: Disconnect Wearables: You can disconnect any linked wearable device (Fitbit, Oura, Apple Health, etc.) at any time from your account settings. Past data will be retained but no new data will be collected from that device.
Consent: Manage Consent: You can revoke consent for clinical data sharing with healthcare providers at any time. This will immediately stop future data sharing but cannot recall information already shared.
OptOut: Marketing & Communications: Unsubscribe from promotional emails, push notifications, or marketing communications. Service-critical notifications (security alerts, policy updates) cannot be disabled.
Portability: Data Portability: You have the right to receive your data in a structured, commonly used format and transmit it to another service provider.
Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites requesting that your browsing activity not be tracked. MiAngel currently does not respond to DNT browser signals. However, you can manage your privacy preferences through the cookie consent controls provided on our site, your account settings, and the data rights described in Section 13 above. We honor opt-out requests made through these mechanisms regardless of your DNT browser setting. California residents: Under CalOPPA, we are required to disclose how we respond to DNT signals. As stated above, we do not currently alter our data collection and use practices in response to DNT signals, but you retain full control over your data through the rights described in this policy.
We use the following categories of sub-processors to operate MiAngel. Each processor is contractually bound to protect your data, limit processing to specified purposes, and comply with applicable data protection laws:
Cloud Infrastructure & Storage: Google Cloud Platform / Firebase (United States), hosting, database, authentication infrastructure, and Cloud Functions.
AI Processing: OpenAI (United States) and Google Vertex AI (United States), natural language processing for DeBrah conversations, both engaged under executed HIPAA Business Associate Agreements where PHI is processed. Anthropic (United States) is used for non-PHI processing only; a BAA with Anthropic is in execution, and PHI is not routed to Anthropic until that agreement is in force. Data sent to AI processors is subject to our pseudonymization controls.
Wearable & Health Integrations: Fitbit (now part of Google) and Withings, accessed through their authorized APIs only for the integrations you connect.
Email Communications: Resend (United States), transactional and marketing email delivery.
Analytics: Google Analytics (United States), anonymized usage analytics and site performance monitoring.
Security & CAPTCHA: Cloudflare (United States), CDN, DDoS protection, and Turnstile CAPTCHA verification.
SMS Messaging: Third-party SMS gateway (United States), delivery of opt-in text message notifications.
Data Processing Agreements: MiAngel has executed Data Processing Addendums (DPAs) incorporating Standard Contractual Clauses (SCCs) with all listed sub-processors. For EEA-to-US transfers, these DPAs are supplemented by technical safeguards including AES-256 encryption, access controls, and audit trails. Complete DPAs are available upon request at legal@miangel.ai.
Sub-Processor Change Notification: We will update this list when we add or replace sub-processors. Material changes to sub-processors that handle health or biometric data will be communicated via email notification to affected users at least 30 days before the change takes effect. You may object to a new sub-processor by contacting legal@miangel.ai within that 30-day period.
You have the right to lodge a complaint with the appropriate regulatory authority if you believe your data has been handled in violation of applicable law:
United States, Federal Trade Commission (FTC): File a complaint at reportfraud.ftc.gov or call 1-877-FTC-HELP (1-877-382-4357).
United States, State Attorney General: Contact your state attorney general's office for state-specific privacy complaints. Florida residents may contact the Florida Attorney General at myfloridalegal.com.
California Residents (CCPA): You may exercise your rights under the California Consumer Privacy Act by contacting legal@miangel.ai or through your account settings.
European Union / EEA (GDPR): You may lodge a complaint with your local Data Protection Authority (DPA). A list of DPAs is available at edpb.europa.eu.
United Kingdom: Contact the Information Commissioner's Office (ICO) at ico.org.uk.
For any privacy-related complaints, we encourage you to contact us first at legal@miangel.ai so we can attempt to resolve your concern directly.
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a lawful basis for data processing, we rely on the following legal bases under GDPR Articles 6 and 9:
Contractual Necessity (Article 6(1)(b)): Processing personal data necessary to provide the MiAngel Service you have requested, including AI companion interactions, mood tracking, journaling, and account management.
Consent (Article 6(1)(a) and Article 9(2)(a)): Processing of health data, biometric data, and emotional wellness data requires your explicit consent, which you provide during registration and device connection. You may withdraw consent at any time through your account settings or by contacting legal@miangel.ai. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
Legitimate Interest (Article 6(1)(f)): Processing for product improvement, fraud prevention, platform security, and aggregated analytics where our interests do not override your fundamental rights. We conduct Legitimate Interest Assessments (LIAs) for each processing activity relying on this basis, and these assessments are available upon request.
Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, including tax requirements, regulatory requests, court orders, and mandatory reporting obligations.
Vital Interest (Article 6(1)(d)): In rare cases, processing may be necessary to protect your vital interests or those of another person, such as when our Safety Net feature detects imminent risk of self-harm.
Special Category Data (Article 9): Health data, biometric data, and data concerning mental health constitute special category data under GDPR. We process this data only with your explicit consent (Article 9(2)(a)) or where necessary to protect vital interests (Article 9(2)(c)). We do not process special category data for marketing, profiling for advertising, or any purpose beyond the specific wellness services you have consented to.
Data Subject Request Response Times: We will respond to all data subject access requests (DSARs), deletion requests, and portability requests within thirty (30) days of receipt, as required by GDPR Article 12(3). Where requests are complex or numerous, we may extend this period by an additional sixty (60) days, with notice to you. For CCPA requests, we will respond within forty-five (45) days as required by California Civil Code Section 1798.130.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following additional rights:
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your personal information was collected, our business or commercial purpose for collecting or sharing your personal information, the categories of third parties with whom we share your personal information, and the specific pieces of personal information we have collected about you in the preceding 12 months.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery, security incident detection).
Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale or Sharing: MiAngel does NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, no opt-out mechanism is required; however, you may still contact us at legal@miangel.ai if you have concerns about data sharing.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information (including health data) to purposes necessary to provide the Service. MiAngel already limits the use of sensitive personal information to service delivery, security, and the specific wellness features you have opted into.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access levels for exercising your privacy rights.
Other State Privacy Laws: Residents of states with comprehensive or consumer-health privacy laws, including Washington's My Health My Data Act, Nevada SB 370, and comprehensive laws in states such as Virginia, Colorado, Connecticut, and Texas, have additional rights over consumer health data and sensitive data. MiAngel obtains consent before collecting consumer health data and extends core access, deletion, correction, and consent-withdrawal rights to all users regardless of state. Contact legal@miangel.ai to exercise these rights.
Categories of Personal Information Collected (preceding 12 months): Identifiers (name, email, IP address); Internet or network activity (browsing history, interaction data); Geolocation data (approximate, derived from IP address); Sensitive personal information (health data, biometric data, emotional wellness data); Inferences drawn from the above categories to create a profile about preferences and characteristics.
To exercise any of these rights, contact us at legal@miangel.ai or through your account settings. We will verify your identity before processing any request. You may designate an authorized agent to submit a request on your behalf, provided the agent has your written permission and we can verify your identity.
MiAngel is a wellness platform, not a licensed healthcare provider. However, you should be aware of the following regarding legal disclosure obligations:
Law Enforcement Requests: We may be compelled to disclose user data in response to valid legal process, including subpoenas, court orders, or search warrants. We will notify you of such requests unless legally prohibited from doing so (e.g., by a court order or federal law such as 18 U.S.C. Section 2705).
Imminent Harm: If we have a good-faith belief that there is an imminent threat of death or serious bodily injury to you or another person, we may disclose relevant information to law enforcement or emergency services without prior notice to you, consistent with 18 U.S.C. Section 2702(b)(8) and applicable state laws.
Child Safety: If we become aware or reasonably suspect that a user under 18 is in danger of abuse, neglect, or exploitation, we may report the situation to relevant authorities as required or permitted by applicable state mandatory reporting laws (e.g., Florida Statutes Section 39.201). MiAngel employees and AI systems are not designated mandatory reporters under most state laws; however, we reserve the right to report credible threats to the safety of minors.
Limitations of Confidentiality: While we protect your privacy rigorously, conversations with DeBrah, MiAngel's AI companion, are NOT protected by therapist-patient privilege, attorney-client privilege, or any other legal privilege. MiAngel is not a licensed healthcare provider, and AI-generated conversations do not create a therapeutic or medical relationship. Information disclosed during AI conversations may be subject to legal discovery or subpoena in civil or criminal proceedings.
Transparency Reports: MiAngel, Inc. will publish an annual transparency report disclosing the number and types of government and law enforcement requests for user data received, complied with, and challenged during the preceding calendar year. This report will be available at legal@miangel.ai upon request.
In the event of a data breach involving your personal information, health data, or biometric data, MiAngel, Inc. commits to the following notification protocol:
Timing: We will notify affected users without unreasonable delay, and no later than seventy-two (72) hours after becoming aware of the breach, consistent with GDPR Article 33, Florida Statutes Section 501.171 (30-day maximum), California Civil Code Section 1798.82, and New York General Business Law Section 899-aa.
Content of Notification: Our breach notice will include: (a) a description of the nature of the breach; (b) the categories and approximate number of data records concerned; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate adverse effects; (e) contact information for our privacy team at legal@miangel.ai.
Regulatory Notification: Where required by law, we will notify the appropriate supervisory authority (GDPR), state attorney general, or other regulatory body within the timeframes mandated by applicable law.
Remediation: Depending on the nature and severity of the breach, we may offer affected users identity monitoring services, credit monitoring, or other appropriate remediation at no cost.
Backup Data Retention: Upon account deletion, personally identifiable data is purged from primary systems within 30 days. Encrypted backup copies may persist in disaster recovery archives for up to 90 days before permanent purging. Data that has been fully de-identified and incorporated into aggregate training datasets cannot be extracted and is no longer personal data under applicable law.
Incident Response: MiAngel, Inc. maintains a documented incident response plan that is tested and updated at least annually. Our plan includes procedures for containment, investigation, remediation, notification, and post-incident review.